Tuesday, December 13, 2011

Using cryptography as a protection from 'Referrer Spam'

I was recently looking at the analytics of my blog and found that for certain visits, the referrer was pointing to some spam websites. After a bit of testing I figured that the referrer section could be spoofed easily while making an HTTP request for any blog hosted by that provider. After some internet lookups, I learnt that the term for such an attack is 'Referrer Spam'. This could mean that someone with the right tools and wrong intent could modify the HTTP header to do two things:

         a. Spoof the referrer
         b. Blank out the referrer

Both of these are not beneficial for analytics or the referrer. One workaround to mitigate such spoofing can be by using cryptography for enforcing integrity checks to avoid feeding false data to the analytics engine. The idea is to encrypt the concatenation of the virtual path in the URL and the Hash of the data in the referrer section.

The following method can be followed:
Referrer Server:
1. Encrypt URL+Hash of data in 'Referrer' section using referrer's private key

Blog's Web Server:
1. Blog provider checks the referrer's section and checks if domain is known.
2. Reconstruct the virtual path by decrypting using referrer's public key and validate the hash with the data in 'Referrer' section.
3. If step 2 does not fail, display the content to user and log data to the analytics engine.
In the above method, symmetric keys can also be used, however, key renewal on a timely basis might be required.

The advantage of the above technique is that unknown referrers can be marked, separated and their IPs can be flagged if further processing of spam source is required.

Cons:
1. Attackers can cause a Denial of Service attack by overloading the Decryption section with junk data
2. Prior key exchange with 'known' referrers is required
3. All unknown referrers are considered as spammers/malicious unless further processing 'clears' them.

No comments:

Post a Comment